1

Possible Duplicate:
how safe are PDO prepared statements

So I was looking into PDO to replace all the mysql queries in my php. The main reason I am doing this is for security and ease in coding. I was just wondering though, as far as security is concerned. Once I finish replacing any mysql query calls as well as any data I am capturing from users with PDO, what should I be looking into putting inbetween the prepare and the execute of the query? Or will that take care of security. I guess I just don't understand where the security comes in with PDO. Here is an example of some of my code for getting user input then placing it in the database. Any issues with this? Or improvements I could do?

<?php
session_start();
include("dbgear.php");

$var1 = $_POST['stuff1'];
$var2 = $_POST['stuff2'];
$var3 = $_POST['stuff3'];
$var4 = $_POST['stuff4'];
$var5 = $_SESSION['stuff5'];
$vardate = date("M d, Y h:i A");


$info = "INSERT INTO comments SET     name=:user,class=:class,comment=:commentarea,date=:date,detector=:detector";


$send = $connect->prepare($info);
$send->execute(array(':user'=>$var1,':class'=>$var2,':commentarea'=>$var3,':date'=>$var4,':detector'=>$var5));

?>
Community
  • 1
  • 1
user1815581
  • 13
  • 3
  • The security (which is actually a by-product) comes from the SQL commands being sent separately from the data values to the server, no string interpolation takes place. In real prepared statement mode, that is. In PDOs emulation mode, the ->execute will simply escape the raw values. Which is why you don't have to bother. (About values. Different thing with dynamic identifiers or variant queries[...](http://stackoverflow.com/a/8255054/345031)) – mario Nov 12 '12 at 23:32

1 Answers1

2

You dont have to worry about what you put in your database. Everything (security-wise) is handled by PDO.

But keep in mind that if you use the data later on your website, it can contain javascript (XSS injection). So always filter your users data, cast integers to int, filter html that users upload etc before you enter it in your database to get to most secure approach.

Green Black
  • 5,037
  • 1
  • 17
  • 29